Security [Telegraph-Herald (Dubuque, IA)]

(Telegraph-Herald (Dubuque, IA) Via Acquire Media NewsEdge) Growing up, Caleb Barlow's father would leave the keys in the car, in case someone needed to use it.

Times have changed, and most of us lock our cars and homes.

But you might be leaving your valuable business information out for the taking.

Just as when you drive into a part of a city that looks shady and you lock your car and put valuables out of sight, you need to secure your and your customers' information.

Don't leave the windows open and the keys in the ignition on the Internet, which Barlow, vice president, Strategic Initiatives, Cloud & Smarter Infrastructure, IBM, compared to a "bad, nasty street."

While retail breaches have been highly reported - and weren't an issue a year ago - "this isn't just about retail," Barlow said. "All kinds of industries out there are still leaving the keys in the ignition."

It's ongoing

Cyber security is an ongoing, fast-moving, ever-evolving effort. A castle with a wide, deep moat looks secure until someone with a canoe shows up. That's why castles have thick walls with guards on watch in addition to the moat.

"You've got to have layers of defense," said Barlow, based in Boston. "Every business is on the front line in this battle. As security professionals, we need to think about all the ways an attacker could come in. An attacker only needs one."

"There are lots of security tools and lots of different vendors willing to sell you security tools," Barlow said. "It's not about a particular set of tools. It's about momentum. You're constantly in motion."

Everyone is going to need to understand cryptology, which Barlow said means "I can unlock a door and go through in one direction, but can't go through the other direction without a different key. What I'm using matters, and how I'm using it matters."

A good security professional knows that attacks will come, and tries to protect the most important and valuable information, what Barlow calls "the crown jewels. You can't secure everything. It's really a game of securing the most vulnerable places. When you find a vulnerable place, you shore that up, and then move on to the next most likely."

Lots of challenges

Barlow admits cyber security is a challenge for small businesses. But customers will look for and reward companies that protect their information, he said. A small business might want to outsource security or join a collective of other small businesses.

Find a secure, encrypted way to store information where "someone else is worried about what's the next threat."

"Organized gangs are making money. It's not somebody in a hoodie with a computer in an alley. These people have kids, go home at night, take vacations. In certain parts of the world, if you are a computer scientist, this is the best way to make a buck. You may not agree with what they do, but you have to respect the level of sophistication. These are large scale teams that have project plans and they might be better staffed and better funded" than the companies they attack, Barlow said.

"Several of the more high profile attacks were clearly done by professionals, and clearly done for monetary gain. There is evidence of sophistication. They are leveraging downstream suppliers to triangulate and elevate the attack."

What to do

Businesses can take steps to improve their security posture.

"You need to have your software up to date. If you don't know how, you need to ask somebody," said Joel Althoff, president of Infrastructure Technology Solutions in Monticello, Iowa.

"I recommend a spam filter to block some of those phishing attempts," he said.

"The issue used to be that people were doing hacking basically to make a name for themselves," Althoff said. Now, an individual's information isn't worth much on its own, but bundled in groups of 200 or more, there is money to be made.

After April 8, Microsoft stopped sending updates for Windows XP.

"About 30 percent of machines are still using Windows XP, so that's opening up a pretty gigantic level of risk," Althoff said. "Windows XP has been around for 12 years. It was a good operating system, but it's no longer adequate."

In the air

Storing information in the cloud just means it is on the Internet and accessible from any computer as long as the user has the password. It is a network of servers, and might save businesses from having to buy hardware.

"Typically cloud providers are going to have their own layers of security," Althoff said. "We do a lot of cloud hosting for people. We design the environment around security. Security is built in from the ground up."

Look at the cloud as a safety deposit box, Barlow said. You can store your diamonds in the mattress, but if you put them in a safety deposit box, you get the bank's level of security for a relatively small fee.

"If you don't have a chief information security officer, you probably need one, even for a relatively small business. A CISO is about managing risk," Barlow said.

A bull's-eye

If you serve customers who are targets, you are a target, too. The best way in is a weak link in the chain.

"I think larger businesses with a dedicated IT department are aware of security threats, but smaller companies with a part-time or no real IT departments are having a tougher time getting past the 'I'm too small to be a target' mentality," said Ron Markus, computer systems manager for Klauer Manufacturing Co.

The biggest risk comes from inside users clicking on ads or opening suspect email attachments or links, he said.

"We have routers connecting us to the outside world that can remove most threats before they reach users," Markus said. "We also do not allow running an application from the Internet. They have to save the program first, then run it. This prevents drive-by installations from a rogue Internet page."

The company implemented a web monitoring program to restrict access to compromised websites.

Markus monitors security sites to watch for new threats. "If I see something trending up, I will put out a notice to our users to watch for the next known threat."

(c) 2014 ProQuest Information and Learning Company; All Rights Reserved.